Password Reset Flow not working as documented

Open djemrose opened this issue 2 years ago • 1 comments

Bug report

Describe the bug

As heavily discussed there is a bug that logs the user in when they go to reset their password: https://github.com/supabase/supabase/discussions/3360

The onAuthStateChange shows this happening by firing the SIGNED_IN event before the PASSWORD_RECOVERY event. I would imagine this is undesirable for everyone. This also causes the hash-bang url to get cleared in the browser immediately on page load, which prevents some apps from grabbing the documented access_token for later use.

To Reproduce

  1. Follow the official guide here whilst listening to the onAuthStateChange event: https://supabase.com/docs/reference/javascript/auth-api-resetpasswordforemail
  2. Also witness the hash-bang url being cleared on page load.

Expected behavior

  1. The hashbang url to not be cleared
  2. Only the PASSWORD_RECOVERY event to fire.
  3. No SIGNED_IN event should fire on page load.

Screenshots

Screen Shot 2022-02-10 at 8 56 21 pm

System information

  • OS: macOS
  • Browser: Chrome
  • Version of supabase-js: @supabase/supabase-js 1.1.2
  • Version of Node.js: v16.13.1

djemrose avatar Feb 10 '22 09:02 djemrose

Same issue on my side, PASSWORD_RECOVERY hasn't fired, only SIGNED_IN with link from reset-password e-mail. Have you any update?

MKlblangenois avatar Jun 25 '22 10:06 MKlblangenois

I'm seeing this issue as well. The PASSWORD_RECOVERY event used to fire when going to the URL in the Reset Password email, but for whatever reason doesn't anymore. I know this because my old code that used to run perfectly fine is no longer working as expected.

mryechkin avatar Dec 08 '22 19:12 mryechkin

Having a similar issue, I just get SIGNED_IN instead of PASSWORD_RECOVERY

funwithtriangles avatar Dec 12 '22 11:12 funwithtriangles

FWIW I fixed my issue by avoiding the auth event altogether and just making sure the link redirects the user to the correct page:

await supabase.auth.resetPasswordForEmail(email, {
  redirectTo: `${window.location.origin}/reset-password`,
})

funwithtriangles avatar Dec 12 '22 14:12 funwithtriangles

Please avoid relying on the sequence of events fired in the onAuthStateChange callback as the order is never guaranteed.

You can always use getSession() to safely access the latest access token.

hf avatar Dec 30 '22 17:12 hf
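
One way to follow the advice above, as an added example that is not part of the thread or of supabase-js: keep auth state as flags so the outcome is the same whichever order SIGNED_IN and PASSWORD_RECOVERY arrive in, and read the token through getSession() when it is needed. `createStubAuth`, `watchRecovery` and `replay` are hypothetical names, the stub stands in for `supabase.auth`, and the method shapes assume supabase-js v2.

```javascript
// Added example. createStubAuth is a hypothetical stand-in for supabase.auth;
// the method shapes assume supabase-js v2.
function createStubAuth(session) {
  const listeners = new Set();
  return {
    onAuthStateChange(cb) {
      listeners.add(cb);
      return { data: { subscription: { unsubscribe: () => listeners.delete(cb) } } };
    },
    async getSession() { return { data: { session }, error: null }; },
    emit(event) { listeners.forEach((cb) => cb(event, session)); }, // stub-only helper
  };
}

// Tracks auth state as flags, so the result does not depend on whether
// SIGNED_IN arrives before or after PASSWORD_RECOVERY.
function watchRecovery(auth) {
  const state = { signedIn: false, recovery: false };
  const { data } = auth.onAuthStateChange((event) => {
    if (event === 'PASSWORD_RECOVERY') state.recovery = true;
    if (event === 'SIGNED_IN') state.signedIn = true;
    if (event === 'SIGNED_OUT') { state.signedIn = false; state.recovery = false; }
  });
  return {
    // A session that came from a recovery link always gets the reset form.
    view: () => (state.recovery ? 'reset-password' : state.signedIn ? 'app' : 'login'),
    // Read the token when it is needed instead of caching it from an event.
    async accessToken() {
      const { data: { session }, error } = await auth.getSession();
      return error || !session ? null : session.access_token;
    },
    stop: () => data.subscription.unsubscribe(),
  };
}

// Replays a constructed event sequence and reports the resulting view.
function replay(events) {
  const auth = createStubAuth({ access_token: 'constructed-token' });
  const gate = watchRecovery(auth);
  events.forEach((e) => auth.emit(e));
  gate.stop();
  return gate.view();
}

console.log(replay(['SIGNED_IN', 'PASSWORD_RECOVERY']), replay(['PASSWORD_RECOVERY', 'SIGNED_IN']));
```

This only removes the dependence on event order; it does not help when PASSWORD_RECOVERY is never delivered at all, which is the case several later comments describe.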

I'm quite new to Supabase, I've been hearing about it a lot and wanted to give it a go in a side project. But seeing this issue open for more than a year is a bit surprising considering its impact, but hopefully the fix is on the way I believe 🤞 #629

Meanwhile, before I came across #629 and after spending several hours trying to make my frontend flow nice and tight, I gave up on using onAuthStateChange and I am not sure what I am losing by not using it.

Fwiw, to prevent the user from being logged in during the reset password op, I do this:

  1. I am using the following in my Reset Password email:
<p><a href="{{ .SiteURL }}/reset-password?confirmation_url={{ .ConfirmationURL }}%26token%3d{{ .Token}}%26email%3d{{ .Email}}">Reset Password</a></p>
  2. Then when the user lands on /reset-password, without doing any auth.getSession(), pick up the confirmation_url from the url, run it through new URLSearchParams, extract the token, email, type.

  3. Manually call auth.verifyOtp({ token, email, type })

  4. Finally call updatePassword({ password })

laygir avatar Mar 26 '23 20:03 laygir

Any update on this?

abdulrahimiliasu avatar May 19 '23 21:05 abdulrahimiliasu

Hey @abdulrahimiliasu and @laygir, we've already merged in the PR to fix this issue: https://github.com/supabase/gotrue-js/pull/629 so we'll be closing this issue. Please feel free to reopen it if you're still experiencing the same issue.

kangmingtay avatar May 22 '23 10:05 kangmingtay

yeah not getting PASSWORD_RECOVERY event either...

jonathanlal avatar Sep 16 '23 16:09 jonathanlal

@jonathanlal Were you able to fix? Running into the same issue despite the fix being released.

nookitapp avatar Sep 30 '23 17:09 nookitapp

I'm also still having this issue

JeremyMees avatar Mar 01 '24 08:03 JeremyMees

I'm facing the same issue (supabase-js 2.39.8)

m-sadegh-sh avatar Mar 16 '24 13:03 m-sadegh-sh

After clicking confirmation (redirect) url, I am NOT getting any event to fire in my session provider. My redirect takes me to the correct path, but if I submit the updateUser method with the new password, I get an error response "Auth session missing!". Other events, initial session, signed in, signed out are working just fine.

supabase-js: 2.40.0

I'm using React Native bare project with expo modules.

knielsen24 avatar Mar 27 '24 05:03 knielsen24